Sherman's Security Blog
I am Sherman Hand. (also known as Policysup) I have created this blog and will use a part of my day to write about what is going on in the world. I hope to discuss things in a down-to-earth and practical way. I hope to hear back from you on your thoughts. I do not in any way intend to speak for my employer. The content of this blog will be either opinions that are strictly mine, general observations, reposts, or information that is already in the public domain.

Due to the Jakarta Multipart parser in Apache Struts mishandling Content-Type headers, an attacker can remotely execute code on vulnerable systems.

Apache Software Foundation has patched a remote code execution vulnerability affecting the Jakarta Multipart parser in Apache Struts. Administrators need to update the popular Java application framework or put workarounds in place because the vulnerability is actively being targeted in attacks.

The issue affects Apache Struts versions 2.3.5 through 2.3.31 and versions 2.5 through 2.5.10. The presence of vulnerable code is enough to expose the system to attack—the web application doesn’t need to implement file upload for attackers to exploit the flaw, said researchers from Cisco Talos.

Talos “found a high number of exploitation events,” said Cisco threat researcher Nick Biasini. “With exploitation actively underway, Talos recommends immediate upgrading if possible or following the workaround referenced in the above security advisory.”

The remote code execution vulnerability (CVE-2017-5638) in the Jakarta Multipart parser is the result of improper handling of the Content-Type header, Apache said in its emergency security advisory. The header indicates the media type of the resource, such as when the client tells the server what type of data was sent as part of a POST or PUT request, or the server telling the client what type of content is being returned as part of the response. The flaw is triggered when Struts parses a malformed Content-Type HTTP header and lets attackers remotely take complete control of the system without needing any kind of authentication.

“It is possible to perform a RCE [remote code execution] attack with a malicious Content-Type value. If the Content-Type value isn’t valid an exception is thrown which is then used to display an error message to a user,” Apache said in its advisory.

System administrators using the Jakarta-based file upload Multipart parser, which is a standard part of the Struts2 framework, should upgrade to Apache Struts version 2.3.32 or 2.5.10.1.

Alternatively, administrators can switch to a different implementation of the Multipart parser, such as the Pell parser plugin, which doesn’t use the Commons FileUpload library and is therefore not at risk.

Another workaround is to implement a Servlet filter to validate Content-Type and throw away requests with suspicious values.
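A minimal version of such a filter, added here as an illustration and not code from Apache or from the article: it accepts only syntactically valid media types (RFC 7231 grammar) whose base type is on an allowlist, and rejects everything else before the Struts multipart parser sees the request. It assumes the javax.servlet API and Java 9 or newer; the class name and the allowlist contents are assumptions.

```java
import java.io.IOException;
import java.util.Set;
import java.util.regex.Pattern;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Drops requests whose Content-Type is not a well-formed, allowlisted media type (example filter, assumed name). */
public class ContentTypeValidationFilter implements Filter {

    // RFC 7230 "token" characters; braces, parentheses, spaces etc. are NOT tokens, so any
    // header that carries such characters outside a quoted-string fails the grammar check.
    private static final String TOKEN = "[!#$%&'*+\\-.^_`|~0-9A-Za-z]+";
    private static final String QUOTED = "\"(?:[^\"\\\\]|\\\\.)*\"";
    // media-type = type "/" subtype *( OWS ";" OWS parameter ), parameter = token "=" ( token / quoted-string )
    private static final Pattern MEDIA_TYPE = Pattern.compile(
        "^" + TOKEN + "/" + TOKEN + "(?:\\s*;\\s*" + TOKEN + "=(?:" + TOKEN + "|" + QUOTED + "))*\\s*$");

    // Base media types this application actually accepts in request bodies (assumed for the example).
    private static final Set<String> ALLOWED = Set.of(
        "multipart/form-data", "application/x-www-form-urlencoded", "application/json");

    /** True if the header is absent, or is grammatically valid and its base type is allowlisted. */
    static boolean isAcceptable(String contentType) {
        if (contentType == null) return true;                     // no body type declared: nothing to validate
        if (!MEDIA_TYPE.matcher(contentType).matches()) return false;
        String base = contentType.split(";", 2)[0].trim().toLowerCase();
        return ALLOWED.contains(base);
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        String contentType = ((HttpServletRequest) req).getHeader("Content-Type");
        if (!isAcceptable(contentType)) {
            // Reject before the request reaches the Struts filter chain; a 400 here is also a useful detection signal.
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_BAD_REQUEST, "Unsupported Content-Type");
            return;
        }
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}
}
```

The filter must be mapped in web.xml ahead of the Struts filter so that it runs first, and the 400 responses it produces are worth counting in access logs as an indicator of probing.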

Cisco Talos observed two types of attacks: probing, to find out what the target network and systems look like, and malware distribution. The majority of the attacks appear to be using a publicly released proof of concept to run various commands, from simple commands such as whoami to more sophisticated commands which can pull down and run malicious ELF executables. For example, an attacker can use whoami as a probe to determine if the system is vulnerable and to find the user associated with the running service. If the command returns a power user, then the attacker can continue with a more sophisticated set of commands, Biasini said.

Talos also observed other attacks which turn off firewall processes and download malicious payloads from a remote server. “The payloads have varied but include an IRC bouncer, a DoS bot, and a sample related to the bill gates botnet,” Biasini wrote.

Apache classified the vulnerability (S2-045) as high risk in its advisory, but it doesn’t currently have a score under the Common Vulnerability Scoring System (CVSS). Considering this flaw doesn’t require the attacker to be authenticated; is not considered difficult to exploit; and can result in information disclosure and complete system compromise, the final score could be a 10, the highest, and most critical, rating possible under the system.

Qualys has developed a test probe, which sends a GET request to certain directories and tries to run the ifconfig or ipconfig commands, to detect whether the system is vulnerable, said Amol Sarwate, the director of engineering at Qualys. A Metasploit module is also already available.